willdot.net / at-container-registry
forked from evan.jarrett.net/at-container-registry
A container registry that uses the AT Protocol for manifest storage and S3 for blob storage.
0
fork

Configure Feed

Select the types of activity you want to include in your feed.

use presigned urls for s3 to avoid hold bandwidth

Evan Jarrett 3fad4739 b9619ad7

+186 -60
+6
.env.hold.example
··· 16 16 17 17 # Storage driver type (s3, filesystem) 18 18 # Default: s3 19 + # 20 + # S3 Presigned URLs: 21 + # When using S3 storage, presigned URLs are automatically enabled for direct 22 + # client ↔ S3 transfers. This eliminates the hold service as a bandwidth 23 + # bottleneck, reducing hold bandwidth by ~99% for push/pull operations. 24 + # Falls back to proxy mode automatically for non-S3 drivers. 19 25 STORAGE_DRIVER=filesystem 20 26 21 27 # For S3/Storj/Minio:
+10 -31
Dockerfile.appview
··· 1 - # ========================================== 2 - # Stage 1: Build stage with Debian (glibc) 3 - # ========================================== 4 1 FROM golang:1.25.2-trixie AS builder 5 2 6 - # Install SQLite development libraries (for CGO compilation) 7 3 RUN apt-get update && \ 8 4 apt-get install -y --no-install-recommends sqlite3 libsqlite3-dev && \ 9 5 rm -rf /var/lib/apt/lists/* 10 6 11 - # Set working directory 12 7 WORKDIR /build 13 8 14 - # Copy go mod files and download dependencies (cached layer) 15 9 COPY go.mod go.sum ./ 16 10 RUN go mod download 17 11 18 - # Copy source code 19 12 COPY . . 20 13 21 - # Build optimized binary: 22 - # - CGO_ENABLED=1: Required for SQLite (mattn/go-sqlite3) 23 - # - -ldflags="-s -w": Strip debug symbols (~30% size reduction) 24 - # - -tags sqlite_omit_load_extension: Remove SQLite extension loading (~100KB savings) 25 - # - -trimpath: Remove build paths (reproducible builds) 26 - # SQLite is statically embedded in the binary (no runtime .so needed) 27 14 RUN CGO_ENABLED=1 go build \ 28 15 -ldflags="-s -w" \ 29 16 -tags sqlite_omit_load_extension \ 30 17 -trimpath \ 31 18 -o atcr-appview ./cmd/appview 32 19 33 - # Collect minimal runtime dependencies based on ldd output 34 - RUN mkdir -p /runtime-deps/lib/x86_64-linux-gnu /runtime-deps/lib64 && \ 35 - # Core glibc library (only one the binary links to) 36 - cp -L /lib/x86_64-linux-gnu/libc.so.6 /runtime-deps/lib/x86_64-linux-gnu/ && \ 37 - # Dynamic linker 38 - cp -L /lib64/ld-linux-x86-64.so.2 /runtime-deps/lib64/ && \ 39 - # NSS modules for DNS resolution (loaded via dlopen at runtime, not shown in ldd) 40 - cp -L /lib/x86_64-linux-gnu/libnss_dns.so.2 /runtime-deps/lib/x86_64-linux-gnu/ && \ 41 - cp -L /lib/x86_64-linux-gnu/libnss_files.so.2 /runtime-deps/lib/x86_64-linux-gnu/ && \ 42 - # NSS modules depend on libresolv 43 - cp -L /lib/x86_64-linux-gnu/libresolv.so.2 /runtime-deps/lib/x86_64-linux-gnu/ && \ 20 + # Collect minimal runtime dependencies 21 + RUN mkdir -p /runtime-deps/lib64 /runtime-deps/lib/x86_64-linux-gnu && \ 22 + # Core glibc libraries (from ldd output) 23 + cp /lib/x86_64-linux-gnu/libc.so.6 /runtime-deps/lib64/ && \ 24 + cp /lib/x86_64-linux-gnu/libresolv.so.2 /runtime-deps/lib64/ && \ 25 + cp /lib64/ld-linux-x86-64.so.2 /runtime-deps/lib64/ && \ 26 + # NSS (Name Service Switch) modules for DNS resolution 27 + cp /lib/x86_64-linux-gnu/libnss_dns.so.2 /runtime-deps/lib/x86_64-linux-gnu/ && \ 28 + cp /lib/x86_64-linux-gnu/libnss_files.so.2 /runtime-deps/lib/x86_64-linux-gnu/ && \ 44 29 # Create NSS config (tells glibc to check /etc/hosts then DNS) 45 30 echo "hosts: files dns" > /tmp/nsswitch.conf 46 31 ··· 51 36 52 37 # Copy minimal glibc runtime dependencies 53 38 COPY --from=builder /runtime-deps / 54 - 55 39 # Copy NSS configuration for DNS resolution 56 40 COPY --from=builder /tmp/nsswitch.conf /etc/nsswitch.conf 57 - 58 41 # Copy CA certificates for HTTPS (PDS, Jetstream, relay connections) 59 42 COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ 60 - 61 43 # Copy timezone data for timestamp formatting 62 44 COPY --from=builder /usr/share/zoneinfo /usr/share/zoneinfo 63 - 64 45 # Copy optimized binary (SQLite embedded) 65 46 COPY --from=builder /build/atcr-appview /atcr-appview 66 47 67 - # Expose port (main HTTP server) 48 + # Expose ports 68 49 EXPOSE 5000 69 50 70 51 # OCI image annotations ··· 77 58 org.opencontainers.image.version="0.1.0" \ 78 59 io.atcr.icon="https://imgs.blue/evan.jarrett.net/1TpTNrRelfloN2emuWZDrWmPT0o93bAjEnozjD6UPgoVV9m4" 79 60 80 - # Run the AppView (no config file - uses environment variables) 81 - # Creates /var/lib/atcr directories on first run via Go code 82 61 ENTRYPOINT ["/atcr-appview"] 83 62 CMD ["serve"]
+8 -8
cmd/appview/config.go
··· 97 97 storage["maintenance"] = configuration.Parameters{ 98 98 "uploadpurging": map[interface{}]interface{}{ 99 99 "enabled": false, 100 - "age": 7 * 24 * time.Hour, // 168h 101 - "interval": 24 * time.Hour, // 24h 100 + "age": 7 * 24 * time.Hour, // 168h 101 + "interval": 24 * time.Hour, // 24h 102 102 "dryrun": false, 103 103 }, 104 104 } ··· 141 141 142 142 return configuration.Auth{ 143 143 "token": configuration.Parameters{ 144 - "realm": realm, 145 - "service": serviceName, 146 - "issuer": serviceName, 147 - "rootcertbundle": certPath, 148 - "privatekey": privateKeyPath, 149 - "expiration": expiration, 144 + "realm": realm, 145 + "service": serviceName, 146 + "issuer": serviceName, 147 + "rootcertbundle": certPath, 148 + "privatekey": privateKeyPath, 149 + "expiration": expiration, 150 150 }, 151 151 }, nil 152 152 }
+5 -5
cmd/appview/serve.go
··· 33 33 34 34 // Define sensitive tables that should never be accessible from public queries 35 35 var sensitiveTables = map[string]bool{ 36 - "oauth_sessions": true, // OAuth tokens 37 - "ui_sessions": true, // Session IDs 38 - "oauth_auth_requests": true, // OAuth state 39 - "devices": true, // Device secret hashes 40 - "pending_device_auth": true, // Pending device secrets 36 + "oauth_sessions": true, // OAuth tokens 37 + "ui_sessions": true, // Session IDs 38 + "oauth_auth_requests": true, // OAuth state 39 + "devices": true, // Device secret hashes 40 + "pending_device_auth": true, // Pending device secrets 41 41 } 42 42 43 43 // readOnlyAuthorizerCallback blocks access to sensitive tables
+151 -10
cmd/hold/main.go
··· 12 12 "strings" 13 13 "time" 14 14 15 + "github.com/aws/aws-sdk-go/aws" 16 + "github.com/aws/aws-sdk-go/aws/credentials" 17 + "github.com/aws/aws-sdk-go/aws/session" 18 + "github.com/aws/aws-sdk-go/service/s3" 15 19 "github.com/distribution/distribution/v3/configuration" 16 20 storagedriver "github.com/distribution/distribution/v3/registry/storage/driver" 17 21 "github.com/distribution/distribution/v3/registry/storage/driver/factory" ··· 70 74 71 75 // HoldService provides presigned URLs for blob storage in a hold 72 76 type HoldService struct { 73 - driver storagedriver.StorageDriver 74 - config *Config 77 + driver storagedriver.StorageDriver 78 + config *Config 79 + s3Client *s3.S3 // S3 client for presigned URLs (nil if not S3 storage) 80 + bucket string // S3 bucket name 81 + s3PathPrefix string // S3 path prefix (if any) 75 82 } 76 83 77 84 // NewHoldService creates a new hold service ··· 83 90 return nil, fmt.Errorf("failed to create storage driver: %w", err) 84 91 } 85 92 86 - return &HoldService{ 93 + service := &HoldService{ 87 94 driver: driver, 88 95 config: cfg, 89 - }, nil 96 + } 97 + 98 + // Initialize S3 client for presigned URLs (if using S3 storage) 99 + if err := service.initS3Client(); err != nil { 100 + log.Printf("WARNING: S3 presigned URLs disabled: %v", err) 101 + } 102 + 103 + return service, nil 104 + } 105 + 106 + // initS3Client initializes the S3 client for presigned URL generation 107 + // Returns nil error if S3 client is successfully initialized 108 + // Returns error if storage is not S3 or if initialization fails (service will fall back to proxy mode) 109 + func (s *HoldService) initS3Client() error { 110 + // Check if storage driver is S3 111 + if s.config.Storage.Type() != "s3" { 112 + log.Printf("Storage driver is %s (not S3), presigned URLs disabled", s.config.Storage.Type()) 113 + return nil // Not an error - just using different driver 114 + } 115 + 116 + // Extract S3 configuration from storage parameters 117 + params, ok := s.config.Storage.Parameters()["s3"].(configuration.Parameters) 118 + if !ok { 119 + return fmt.Errorf("failed to get S3 parameters from storage config") 120 + } 121 + 122 + // Extract required S3 configuration 123 + region, _ := params["region"].(string) 124 + if region == "" { 125 + region = "us-east-1" // Default region 126 + } 127 + 128 + accessKey, _ := params["accesskey"].(string) 129 + secretKey, _ := params["secretkey"].(string) 130 + bucket, _ := params["bucket"].(string) 131 + 132 + if bucket == "" { 133 + return fmt.Errorf("S3 bucket not configured") 134 + } 135 + 136 + // Build AWS config 137 + awsConfig := &aws.Config{ 138 + Region: aws.String(region), 139 + } 140 + 141 + // Add credentials if provided (allow IAM role auth if not provided) 142 + if accessKey != "" && secretKey != "" { 143 + awsConfig.Credentials = credentials.NewStaticCredentials(accessKey, secretKey, "") 144 + } 145 + 146 + // Add custom endpoint for S3-compatible services (Storj, MinIO, R2, etc.) 147 + if endpoint, ok := params["regionendpoint"].(string); ok && endpoint != "" { 148 + awsConfig.Endpoint = aws.String(endpoint) 149 + awsConfig.S3ForcePathStyle = aws.Bool(true) // Required for MinIO, Storj 150 + } 151 + 152 + // Create AWS session 153 + sess, err := session.NewSession(awsConfig) 154 + if err != nil { 155 + return fmt.Errorf("failed to create AWS session: %w", err) 156 + } 157 + 158 + // Create S3 client 159 + s.s3Client = s3.New(sess) 160 + s.bucket = bucket 161 + 162 + // Extract path prefix if configured (rootdirectory in S3 params) 163 + if rootDir, ok := params["rootdirectory"].(string); ok && rootDir != "" { 164 + s.s3PathPrefix = strings.TrimPrefix(rootDir, "/") 165 + } 166 + 167 + log.Printf("S3 presigned URLs enabled for bucket: %s", s.bucket) 168 + if s.s3PathPrefix != "" { 169 + log.Printf("S3 path prefix: %s", s.s3PathPrefix) 170 + } 171 + 172 + return nil 90 173 } 91 174 92 175 // GetPresignedURLRequest represents a request for a presigned download URL ··· 491 574 return "", fmt.Errorf("blob not found: %w", err) 492 575 } 493 576 494 - // For drivers that support presigned URLs (S3), use those 495 - // For now, return a proxy URL through this service with DID for authorization 496 - return fmt.Sprintf("%s/blobs/%s?did=%s", s.config.Server.PublicURL, digest, did), nil 577 + // If S3 client available, generate presigned URL 578 + if s.s3Client != nil { 579 + // Build S3 key from blob path 580 + // blobPath returns paths like: /docker/registry/v2/blobs/sha256/ab/abc123.../data 581 + s3Key := strings.TrimPrefix(path, "/") 582 + if s.s3PathPrefix != "" { 583 + s3Key = s.s3PathPrefix + "/" + s3Key 584 + } 585 + 586 + // Generate presigned GET URL 587 + req, _ := s.s3Client.GetObjectRequest(&s3.GetObjectInput{ 588 + Bucket: aws.String(s.bucket), 589 + Key: aws.String(s3Key), 590 + }) 591 + 592 + url, err := req.Presign(15 * time.Minute) 593 + if err != nil { 594 + log.Printf("WARN: Presigned URL generation failed for %s, falling back to proxy: %v", digest, err) 595 + return s.getProxyDownloadURL(digest, did), nil 596 + } 597 + 598 + log.Printf("Generated presigned download URL for %s (expires in 15min)", digest) 599 + return url, nil 600 + } 601 + 602 + // Fallback: return proxy URL through this service 603 + return s.getProxyDownloadURL(digest, did), nil 604 + } 605 + 606 + // getProxyDownloadURL returns a proxy URL for blob download (fallback when presigned URLs unavailable) 607 + func (s *HoldService) getProxyDownloadURL(digest, did string) string { 608 + return fmt.Sprintf("%s/blobs/%s?did=%s", s.config.Server.PublicURL, digest, did) 497 609 } 498 610 499 611 // getUploadURL generates an upload URL for a blob 500 612 // Note: This is called from HandlePutPresignedURL which has the DID in the request 501 613 func (s *HoldService) getUploadURL(ctx context.Context, digest string, size int64, did string) (string, error) { 502 - // For drivers that support presigned URLs (S3), use those 503 - // For now, return a proxy URL through this service with DID for authorization 504 - return fmt.Sprintf("%s/blobs/%s?did=%s", s.config.Server.PublicURL, digest, did), nil 614 + // If S3 client available, generate presigned URL 615 + if s.s3Client != nil { 616 + // Build S3 key from blob path 617 + path := blobPath(digest) 618 + s3Key := strings.TrimPrefix(path, "/") 619 + if s.s3PathPrefix != "" { 620 + s3Key = s.s3PathPrefix + "/" + s3Key 621 + } 622 + 623 + // Generate presigned PUT URL 624 + req, _ := s.s3Client.PutObjectRequest(&s3.PutObjectInput{ 625 + Bucket: aws.String(s.bucket), 626 + Key: aws.String(s3Key), 627 + }) 628 + 629 + url, err := req.Presign(15 * time.Minute) 630 + if err != nil { 631 + log.Printf("WARN: Presigned URL generation failed for %s, falling back to proxy: %v", digest, err) 632 + return s.getProxyUploadURL(digest, did), nil 633 + } 634 + 635 + log.Printf("Generated presigned upload URL for %s (expires in 15min)", digest) 636 + return url, nil 637 + } 638 + 639 + // Fallback: return proxy URL through this service 640 + return s.getProxyUploadURL(digest, did), nil 641 + } 642 + 643 + // getProxyUploadURL returns a proxy URL for blob upload (fallback when presigned URLs unavailable) 644 + func (s *HoldService) getProxyUploadURL(digest, did string) string { 645 + return fmt.Sprintf("%s/blobs/%s?did=%s", s.config.Server.PublicURL, digest, did) 505 646 } 506 647 507 648 // RegisterRequest represents a request to register this hold in a user's PDS
+1 -1
go.mod
··· 3 3 go 1.24.7 4 4 5 5 require ( 6 + github.com/aws/aws-sdk-go v1.55.5 6 7 github.com/bluesky-social/indigo v0.0.0-20251003000214-3259b215110e 7 8 github.com/distribution/distribution/v3 v3.0.0 8 9 github.com/distribution/reference v0.6.0 ··· 19 20 ) 20 21 21 22 require ( 22 - github.com/aws/aws-sdk-go v1.55.5 // indirect 23 23 github.com/beorn7/perks v1.0.1 // indirect 24 24 github.com/bshuster-repo/logrus-logstash-hook v1.0.0 // indirect 25 25 github.com/carlmjohnson/versioninfo v0.22.5 // indirect
+4 -4
pkg/appview/db/schema.go
··· 196 196 197 197 // Migration represents a database migration 198 198 type Migration struct { 199 - Version int 200 - Name string 201 - Description string `yaml:"description"` 202 - Query string `yaml:"query"` 199 + Version int 200 + Name string 201 + Description string `yaml:"description"` 202 + Query string `yaml:"query"` 203 203 } 204 204 205 205 // runMigrations applies any pending database migrations
+1 -1
pkg/appview/jetstream/worker.go
··· 46 46 pongMutex sync.Mutex 47 47 48 48 // In-memory cursor tracking for reconnects 49 - lastCursor int64 49 + lastCursor int64 50 50 cursorMutex sync.RWMutex 51 51 } 52 52